9.8

CVE-2023-4501

User authentication with username and password credentials is ineffective in OpenText (Micro Focus) Visual COBOL, COBOL Server, Enterprise Developer, and Enterprise Server (including product variants such as Enterprise Test Server), versions 7.0 patch updates 19 and 20, 8.0 patch updates 8 and 9, and 9.0 patch update 1, when LDAP-based authentication is used with certain configurations. When the vulnerability is active, authentication succeeds with any valid username, regardless of whether the password is correct; it may also succeed with an invalid username (and any password). This allows an attacker with access to the product to impersonate any user.

Mitigations: The issue is corrected in the upcoming patch update for each affected product. Product overlays and workaround instructions are available through OpenText Support. The vulnerable configurations are believed to be uncommon.

Administrators can test for the vulnerability in their installations by attempting to sign on to a Visual COBOL or Enterprise Server component such as ESCWA using a valid username and incorrect password.

Data is provided by the National Vulnerability Database (NVD)
MicrofocusCobol Server Version7.0 Updatepatch_update_19
MicrofocusCobol Server Version7.0 Updatepatch_update_20
MicrofocusCobol Server Version8.0 Updatepatch_update_8
MicrofocusCobol Server Version8.0 Updatepatch_update_9
MicrofocusCobol Server Version9.0 Updatepatch_update_1
MicrofocusEnterprise Developer Version7.0 Updatepatch_update_19
MicrofocusEnterprise Developer Version7.0 Updatepatch_update_20
MicrofocusEnterprise Developer Version8.0 Updatepatch_update_8
MicrofocusEnterprise Developer Version8.0 Updatepatch_update_9
MicrofocusEnterprise Developer Version9.0 Updatepatch_update_1
MicrofocusEnterprise Server Version7.0 Updatepatch_update_19
MicrofocusEnterprise Server Version7.0 Updatepatch_update_20
MicrofocusEnterprise Server Version8.0 Updatepatch_update_8
MicrofocusEnterprise Server Version8.0 Updatepatch_update_9
MicrofocusEnterprise Server Version9.0 Updatepatch_update_1
MicrofocusEnterprise Test Server Version7.0 Updatepatch_update_19
MicrofocusEnterprise Test Server Version7.0 Updatepatch_update_20
MicrofocusEnterprise Test Server Version8.0 Updatepatch_update_8
MicrofocusEnterprise Test Server Version8.0 Updatepatch_update_9
MicrofocusEnterprise Test Server Version9.0 Updatepatch_update_1
MicrofocusVisual Cobol Version7.0 Updatepatch_update_19
MicrofocusVisual Cobol Version7.0 Updatepatch_update_20
MicrofocusVisual Cobol Version8.0 Updatepatch_update_8
MicrofocusVisual Cobol Version8.0 Updatepatch_update_9
MicrofocusVisual Cobol Version9.0 Updatepatch_update_1
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Type Source Score Percentile
EPSS FIRST.org 0.17% 0.394
CVSS Metriken
Source Base Score Exploit Score Impact Score Vector string
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
security@opentext.com 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE-253 Incorrect Check of Function Return Value

The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-305 Authentication Bypass by Primary Weakness

The authentication algorithm is sound, but the implemented mechanism can be bypassed as the result of a separate weakness that is primary to the authentication error.

CWE-358 Improperly Implemented Security Check for Standard

The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique.